b"                                        STATEMENT BY\n\n                                   JOHNNIE E. FRAZIER\n                                  INSPECTOR GENERAL\n                            U.S. DEPARTMENT OF COMMERCE\n\n                              BEFORE THE\n              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS\n                   COMMITTEE ON ENERGY AND COMMERCE\n                       HOUSE OF REPRESENTATIVES\n\n                                         AUGUST 3, 2001\n\n\n\nMr. Chairman and Members of the Committee, I am pleased to appear before you today to\n\ndiscuss the Office of Inspector General\xe2\x80\x99s (OIG) work and other activities related to the security\n\nand protection of the Department\xe2\x80\x99s critical information technology (IT) systems, programs, and\n\nactivities.\n\n\n\nThe Department of Commerce has numerous complex computer systems that provide essential\n\nservices to the public and support critical mission activities, such as the nation\xe2\x80\x99s weather\n\nservices, environmental stewardship, promotion of trade and economic growth, scientific\n\nresearch, and technological development. As the Department\xe2\x80\x99s systems have become more\n\ninterconnected, vulnerabilities have also increased, thus increasing the need to continuously\n\nimprove IT security measures. Strong IT security measures are vital to (1) protecting the privacy\n\nof information, (2) safeguarding the integrity of computer systems and their networks, and\n\n\n\n                                                  1\n\x0c(3) ensuring the availability of services to the American public and other users. I cannot\n\nemphasize too much how important these measures are.\n\n\n\nIndeed, in our recent Semiannual Reports to the Congress, we have identified \xe2\x80\x9cStrengthening\n\nDepartment-wide Information Security\xe2\x80\x9d as one of the top 10 management challenges facing the\n\nDepartment of Commerce because of that issue\xe2\x80\x99s:\n\n\n\n1. 
    Importance to the Department\xe2\x80\x99s mission and the nation\xe2\x80\x99s well-being,\n\n2.     Complexity and sizable expenditures, and\n\n3.     Need for significant management improvements.\n\n\n\nDuring the past year, we have engaged in a number of audit, inspection, evaluation, and other\n\nactivities involving Commerce IT security matters\xe2\x80\x94all aimed at strengthening IT security\n\nCommerce-wide. We have completed evaluations of the Department\xe2\x80\x99s efforts to implement its\n\nCritical Infrastructure Protection (CIP) plans. We also have assessed the Office of the Chief\n\nInformation Officer\xe2\x80\x99s (CIO) IT security policy and the effectiveness of its oversight of the\n\nDepartment\xe2\x80\x99s IT security program. In addition, we have evaluated the use of persistent Internet\n\n\xe2\x80\x9ccookies\xe2\x80\x9d and \xe2\x80\x9cweb bugs\xe2\x80\x9d on Commerce Internet sites. Furthermore, in support of the OIG\xe2\x80\x99s\n\nfiscal year 2000 financial statement audits, we have conducted security reviews of the\n\nDepartment\xe2\x80\x99s financial management systems and their related networks.\n\n\n\nMoreover, assessments of IT security policies and practices are often an integral part of the\n\noperational inspections we conduct of Commerce activities, units, and offices domestically and\n\noverseas. These inspections are intended to provide operating unit managers with useful, timely\n\ninformation about their operations, including IT security issues. IT security problems have also\n\n\n                                                 2\n\x0cbeen identified through our investigative work. In addition, we have worked closely with many\n\nof the Department\xe2\x80\x99s key IT managers, top security personnel, and senior program officials in an\n\neffort to identify the most critical IT security issues and help craft corrective measures. 
Let me\n\nbriefly summarize the results of some of our recent efforts.\n\n\n\nEarly Progress Made in Critical Infrastructure Protection,\n\nbut Planning and Implementation Have Slowed\n\n\n\nLast year, we evaluated the Department's CIP plan, identification of minimum essential\n\ninfrastructure (MEI) assets, and vulnerability assessments of its cyber-based assets. MEI assets\n\nare the physical and cyber-based assets essential to the minimum operations of the economy and\n\nthe government. Our evaluation found that although the Department had made initial progress by\n\ndeveloping a Department-wide CIP plan, identifying critical infrastructure assets, and initiating\n\nvulnerability assessments, there were several areas that warranted management attention:\n\n\n\n\xe2\x80\xa2      The Department's CIP plan needed to be strengthened because several of its elements\n\n       were outdated or missing, and important milestones had slipped. The asset inventory,\n\n       vulnerability assessment framework, and budget estimates included in the plan were not\n\n       current. The plan also did not include requirements for reviewing new assets to\n\n       determine whether they should be included as MEI assets, periodically updating\n\n       vulnerability assessments, or developing a system for responding to infrastructure attacks.\n\n\n\n\xe2\x80\xa2      The MEI asset inventory needed to be reevaluated because of limitations in data\n\n       gathering. In most cases, asset managers were neither interviewed nor given adequate\n\n\n                                                 3\n\x0c       guidance before filling out complex questionnaires used to gather asset information, and\n\n       the officials most knowledgeable about the assets were seldom interviewed because of\n\n       logistical problems and limited resources. 
Establishing a reliable MEI inventory is\n\n       important because it forms the basis for later activities, such as selecting the highest risk\n\n       assets for vulnerability assessments and taking remedial actions.\n\n\n\n\xe2\x80\xa2      Vulnerability assessments, remediation plans, and budget justifications needed to be\n\n       completed. Reportedly due to resource constraints, the Department had current\n\n       vulnerability assessments for less than 10 percent of MEI assets and had not developed\n\n       any remediation plans.\n\n\n\nThe CIO\xe2\x80\x99s office agreed with our findings and stated that the Department's focus would be on the\n\nbroad spectrum of IT security, which emphasizes assets critical to the Department's mission and\n\nincludes most cyber-based MEI assets. Short-term actions were identified to improve guidance\n\nto operating unit personnel involved in vulnerability assessments and increase their involvement\n\nin the MEI asset inventory, revise the MEI asset list, and evaluate new assets to determine\n\nwhether they should be included as MEI assets.\n\n\n\nAdditional Focus Needed on\n\nIT Security Policy and Oversight\n\n\n\nThe CIO is responsible for developing and implementing a departmental IT security program to\n\nensure the confidentiality, integrity, and availability of information and IT resources. The CIO\xe2\x80\x99s\n\nresponsibilities include developing policies, procedures, and directives for IT security and\n\nproviding oversight of the IT security programs of the Department's operating units.\n\n                                                 4\n\x0cWe conducted an evaluation to assess the CIO\xe2\x80\x99s policies and the effectiveness of his oversight of\n\nthe Department's IT security program. 
Our review focused on the CIO\xe2\x80\x99s compliance with laws\n\nand regulations governing IT security and his actions in recent years to oversee the Department's\n\nIT security program.\n\n\n\nWe found that although in the past IT security did not receive adequate attention, in more recent\n\nyears, the CIO's office had expanded its focus on and increased the resources devoted to IT\n\nsecurity. For example, the office conducted its first Department-wide assessment of IT security\n\nplanning in 1999 and reviewed operating unit self-assessments in 2000, which resulted in\n\nincreased compliance with security requirements. Nevertheless, policy and oversight need\n\nfurther improvements. Specifically:\n\n\n\n\xe2\x80\xa2      IT security policy needs to be revised and expanded. The Department's IT security\n\n       policy is out of date because it was developed in 1993 and 1995, prior to a significant\n\n       revision of OMB Circular A-130, which communicates policy on the security of federal\n\n       automated information resources. The policy is also missing important components\n\n       because it has not kept pace with recent trends in technology and related security threats.\n\n       The Department's policy must be kept current and complete because the operating units\n\n       use it as the foundation for their general and system-specific policies. We recommended\n\n       that the CIO\xe2\x80\x99s office update and expand its IT security policy as soon as possible.\n\n\n\n\xe2\x80\xa2      Additional IT security compliance procedures are needed. Security for many of the\n\n       Department's systems has not been adequately planned, and security reviews have not\n\n       been performed. In addition, several operating units do not have adequate awareness and\n\n                                                5\n\x0c       training programs or adequate capabilities for responding to IT security incidents. 
The\n\n       Government Information Security Reform Act (GISRA) requires the CIO\xe2\x80\x99s office to\n\n       conduct annual IT security evaluations in 2001 and 2002 similar to the self-assessments it\n\n       monitored in 2000. We recommended that the office commit to a program of reviews\n\n       that extends beyond GISRA\xe2\x80\x99s 2-year review requirement. Moreover, the CIO\xe2\x80\x99s office\n\n       should work with the Department's acquisition and budget managers to ensure that IT-\n\n       related procurement specifications include security requirements, and that funds for\n\n       meeting these requirements are included in operating unit budgets.\n\n\n\nDuring our evaluation of the Department\xe2\x80\x99s IT security policy, we provided the Department with a\n\nwritten analysis that identified weaknesses and deficiencies in the policy, and made\n\nrecommendations for specific changes to bring the policy into compliance with applicable laws\n\nand regulations.\n\n\n\nThe CIO\xe2\x80\x99s office agreed with all of our recommendations and cited a number of corrective\n\nactions it planned to take to implement them. Among other things, it agreed to revise, expand,\n\nand update the Department's IT security policy; continue its compliance review program beyond\n\nthe 2-year period required by GISRA; and begin security reviews as soon as possible.\n\n\n\nUse of Internet \xe2\x80\x9cCookies\xe2\x80\x9d and \xe2\x80\x9cWeb Bugs\xe2\x80\x9d\n\nRaised Privacy and Security Concerns\n\n\n\nWe evaluated the use of persistent Internet cookies and web bugs by departmental Internet sites,\n\nas well as the adequacy of the privacy statements posted on the main web pages of the\n\nDepartment and its operating units. 
We conducted our evaluation in response to Public Law 106-\n\n                                                6\n\x0c554, the Consolidated Appropriations Act of 2001, which required the Inspector General of each\n\nagency to submit a report to the Congress disclosing any activity regarding the collection of\n\ninformation relating to any individual's access or viewing habits on the agency's Internet sites.\n\n\n\nPersistent Internet cookies are data stored on web users' hard drives that can identify users'\n\ncomputers and track their browsing habits. Web bugs are software code that can monitor who is\n\nreading a web page. These technologies are capable of being employed in ways that could\n\nviolate the privacy of individuals visiting the Department\xe2\x80\x99s web sites and can also pose security\n\nthreats.\n\n\n\nWeb bugs are considered security threats because they can perform malicious actions, including\n\nsearching for the existence of specific information, such as financial information, on a user's hard\n\ndrive, and downloading files from, or uploading files to, a user's computer. A web user would be\n\nunaware of the presence of web bugs without using detection software. Even if such software\n\nwere used, the malicious actions performed by identified web bugs could go undetected.\n\n\n\nWe found that most of the Department's Internet sites do not use either persistent cookies or web\n\nbugs. However, we did find several instances in which persistent cookies were being used\n\nwithout a compelling reason or the approval of the Secretary, as required by Department and\n\nOMB policy. We also found a number of web pages using web bugs. At the time we began our\n\nevaluation, the Department did not have a policy regulating web bug use, but it promptly\n\ndeveloped and issued one when informed of the problem. 
Finally, we found that many of the\n\noperating units' privacy statements did not provide all of the information required by the\n\nDepartment's privacy policy.\n\n\n\n                                                  7\n\x0cWe recommended that the Department's CIO direct operating unit CIOs and senior management\n\nto implement a strategy to control the use of persistent cookies and web bugs and to certify\n\nannually that the operating unit is in compliance with the Department's applicable policies. We\n\nalso recommended that the CIO direct operating unit CIOs and senior managers to revise their\n\nprivacy policy statements to make them compliant with the Department's policy. The CIO\xe2\x80\x99s\n\noffice agreed with our findings and worked with us to help ensure that the cookies we had\n\nidentified were removed. The Secretary of Commerce\xe2\x80\x99s new Special Assistant for Privacy is\n\nworking to remove all web bugs and develop a uniform privacy policy statement.\n\n\n\nSystems Security Audits of Departmental\n\nFinancial Management Systems Reveal Problems\n\n\n\nOur audits of Commerce operating units\xe2\x80\x99 financial statements, performed by certified public\n\naccounting (CPA) firms under contract with us, include security reviews of the Department\xe2\x80\x99s\n\nfinancial management systems and related networks that support the statements. Our CPA\n\ncontractors use GAO\xe2\x80\x99s Federal Information System Controls Audit Manual (FISCAM) as a guide\n\nin performing these reviews. FISCAM provides guidance on assessing the reliability of\n\ncomputer-generated data that supports financial statements, including physical security and\n\nlogical access controls designed to prevent or detect unauthorized access or intrusion into\n\nsystems and networks.\n\n\n\nIn 1999 we adopted a systems security review strategy that provides for full coverage of each\n\nfinancial management system and its related networks on a two-year basis. 
Every two years, a\n\nreview addresses the six systems security areas identified in FISCAM: (1) entitywide security\n\nprogram planning and management, (2) access controls, (3) application software development\n\n                                                 8\n\x0cand change control, (4) systems software, (5) segregation of duties, and (6) service continuity. In\n\nthe alternate years, we routinely conduct penetration testing (in which someone playing the role\n\nof a hostile attacker tries to compromise systems security) and application-level testing. Review\n\nof the system environment for significant changes and follow-up on open recommendations\n\noccurs annually.\n\n\n\nThe audits of operating units\xe2\x80\x99 individual fiscal year 2000 financial statements included reviews\n\nof the general system controls over the major financial management systems at the seven data\n\nprocessing locations. In the reports on our audits of the Department\xe2\x80\x99s fiscal year 1999 and 2000\n\nconsolidated financial statements, we noted that these systems security reviews disclosed\n\nweaknesses in controls over major financial management systems at all seven locations that\n\nprovide data processing support. Specifically, these reviews found that:\n\n\n\n1.     Entitywide security program planning and management needed improvement at all seven\n\n       locations. This control is the foundation of an entity\xe2\x80\x99s security control structure and a\n\n       reflection of senior management\xe2\x80\x99s commitment to addressing security risks. It is intended\n\n       to ensure that security controls are adequate, consistently applied, and monitored, and that\n\n       responsibilities are clear and properly implemented.\n\n\n\n2.     
Access controls for both operating systems and the financial management systems needed\n\n       strengthening at all seven locations, and monitoring of external and internal access to\n\n       systems needed strengthening at five locations. These controls should limit or monitor\n\n       access to computer resources to guard against unauthorized modification, loss, and\n\n       disclosure.\n\n\n\n                                                 9\n\x0c3.     Applications software development and change control needed improvement at four\n\n       locations. These controls should help prevent the implementation of unauthorized\n\n       programs or modifications to existing programs.\n\n\n\n4.     Systems software improvements were needed at four locations. Controls in this area\n\n       should limit and monitor access to the important software programs that operate computer\n\n       hardware.\n\n\n\n5.     Segregation of duties improvements were needed at five locations. Appropriate controls\n\n       in this area include policies, procedures, and an organizational structure to prevent one\n\n       individual from controlling key aspects of computer-related operations, thus deterring\n\n       unauthorized actions or access to assets.\n\n\n\n6.     To ensure service continuity, contingency plans needed to be prepared, updated, or\n\n       improved at all seven locations. 
Appropriate controls in this area include procedures for\n\n       continuing critical operations, without interruption and with prompt resumption of those\n\n       operations, when unexpected events occur.\n\n\n\nOf particular note, among the weaknesses identified by the CPA firms in the area of entitywide\n\nsecurity program planning and management, was the fact that formal comprehensive security\n\nplans either did not exist, were outdated, or were not approved for the major financial\n\nmanagement systems and associated general support systems on which the applications were\n\nprocessed. In addition, risk assessments needed to be completed and approved, and security\n\nmonitoring needed to be performed.\n\n\n\n                                                10\n\x0cAt four locations, penetration testing was also performed on the network that supports the\n\nfinancial management systems to identify weaknesses in access controls. As part of the\n\npenetration testing, the CPA firms reviewed the adequacy of access controls, which include\n\nlogical and physical controls. Logical access controls involve the use of computer hardware and\n\nsoftware to prevent or detect unauthorized access, such as by hackers, to networks, systems, and\n\nsensitive files by requiring users to input user ID numbers, passwords, and other identifiers that\n\nare linked to predetermined access privileges. Physical controls involve keeping computers in\n\nlocked rooms to limit physical access. 
The firms\xe2\x80\x99 penetration testing of logical controls found\n\nthat in some cases:\n\n\n\n\xe2\x80\xa2      Open modems and ports were accessible to potential hackers.\n\n\xe2\x80\xa2      Sensitive information on websites was readily accessible.\n\n\xe2\x80\xa2      Sensitive active system services could allow unauthorized access, downloading of files,\n\n       and gathering of information.\n\n\xe2\x80\xa2      Firewall configurations could allow a hacker to introduce a destructive virus.\n\n\n\nIn addition, physical access controls over networks and financial management systems needed\n\nstrengthening. For example, at one location, automated exterior locking systems had not been\n\ninstalled on doors to restrict access, and the key card lock for the data center\xe2\x80\x99s computer room\n\nwas inappropriately placed on the inside of the door, rather than the outside. In addition,\n\npersonnel did not consistently lock and secure their work areas. At another location, hardware\n\nthat processed very sensitive information was located in an area accessible by numerous\n\nemployees and contractors and was not segregated in an individually secure area.\n\n\n\n\n                                                11\n\x0cFor fiscal year 2000, the CPA firms concluded that four operating units had system security\n\nweaknesses that rose to the level of \xe2\x80\x9creportable conditions.\xe2\x80\x9d Taken together, these conditions,\n\ncombined with the Department\xe2\x80\x99s lack of an integrated financial management system, constituted\n\na material weakness in the audit of the consolidated financial statements. In our report on the\n\naudit of the consolidated statements, we recommended that the CIO\xe2\x80\x99s office continue to develop\n\nand implement a database for tracking and reporting on corrective actions planned and taken to\n\naddress the outstanding general controls recommendations. 
We also recommended that the\n\noffice review, monitor, and provide guidance to the reporting entities on their corrective actions\n\nplanned and taken in response to our current and prior years\xe2\x80\x99 audit reports on general controls.\n\n\n\nWe issued audit reports with recommendations to correct the control weaknesses identified at\n\neach of the seven data processing locations, and the operating units generally agreed with our\n\nrecommendations. The Department and its operating units are required to provide us with audit\n\naction plans that address each of our recommendations. We have reviewed the plans submitted\n\nto date and concur with the actions taken or planned. Moreover, we are in the process of\n\nperforming our annual follow-up of the adequacy of the corrective actions planned or taken.\n\n\n\nIT Security Issues Have Also Been Identified\n\nThrough OIG Inspections and Investigations\n\n\n\nWe have also identified IT security issues through our inspections and investigative work. Our\n\ninspections unit, for example, conducted a 1999 assessment of the Bureau of Export\n\nAdministration\xe2\x80\x99s (BXA) Export Control Automated Support System as part of a larger review of\n\nBXA\xe2\x80\x99s administration of the federal export licensing process for dual-use commodities. While\n\nwe determined that most of the system\xe2\x80\x99s general and application controls were adequate, we\n\n                                                12\n\x0cfound that BXA\xe2\x80\x99s IT security controls could be enhanced by improving database access controls,\n\npreparing a security plan, performing periodic security reviews, officially assigning the security\n\nduties to its security officer, providing all users with current security training, and restricting the\n\nnumber of BXA employees with file manager access. 
BXA management implemented some\n\ncorrective actions immediately and agreed to take action on our other recommendations dealing\n\nwith the IT security of its licensing system.\n\n\n\nWe are also conducting a series of inspections of the National Weather Service\xe2\x80\x99s weather\n\nforecast offices (WFOs) that have identified a number of IT security issues that need to be\n\naddressed by local managers. Among other problems, we noted that one WFO we visited did not\n\nhave a designated security officer, and office personnel did not follow the Weather Service\xe2\x80\x99s\n\npolicy on IT security. We found other problems, which I cannot describe in detail in a public\n\nhearing, that highlight how vulnerable some systems can be without proper management\n\nattention. Fortunately, the Weather Service has greatly improved its IT security both locally and\n\nnationally since the start of our review. During the past nine months, we visited two other\n\nWFOs. Although we continued to identify some IT security problems, we have found that\n\ndesignated security officers have been named and are receiving necessary training on IT security.\n\nMore importantly, WFO personnel appear to better understand IT security concepts and\n\nrequirements.\n\n\n\nIT security problems have also been identified through our investigative work. Through our OIG\n\nHotline and other information channels, specific incidents or allegations involving IT security\n\nweaknesses, vulnerabilities, or threats have been brought to our attention and examined. For\n\nexample:\n\n\n\n                                                   13\n\x0c\xe2\x80\xa2      In one incident, a foreign hacker penetrated a network server and installed software\n\n       without the knowledge of the system administrator. 
Had the software been activated, the\n\n       server would have been prevented from performing its normal network services and\n\n       would have been one of many computers simultaneously activated to overload a\n\n       designated Internet site. As a result of the incident, the number of points of access to the\n\n       network was reduced to a bare minimum, and existing monitoring software was activated.\n\n\n\n\xe2\x80\xa2      In another incident, a hacker caused extensive damage to an operating unit server, and it\n\n       took more than 5 work days to repair the server and restore operations. Because the\n\n       software on the server was destroyed, the system administrator was not able to determine\n\n       how the attack had occurred. Security features were added when the software was\n\n       restored, to reduce the risk of another shutdown.\n\n\n\n\xe2\x80\xa2      In a third incident, an after-hours contract cleaning employee used a computer that had\n\n       not been properly secured to gain access to the Internet via a network system and view\n\n       pornographic materials. Coordination with the contracting officer, property manager, and\n\n       president of the contract company resulted in the employee\xe2\x80\x99s immediate removal from the\n\n       facility contract and subsequent termination. 
In addition, the practice of routinely leaving\n\n       the computer on overnight was discontinued.\n\n\n\nAdditional OIG Reviews of IT Security Matters\n\nAre Either Underway or Planned\n\n\n\nWe are currently conducting IT security evaluations related to (1) the Economics and Statistics\n\nAdministration\xe2\x80\x99s and the Census Bureau\xe2\x80\x99s preparation and release of the Advance Retail Sales\n\n                                                14\n\x0cPrincipal Economic Indicator, (2) the Department\xe2\x80\x99s classified information systems, and (3) the\n\nDepartment\xe2\x80\x99s IT security program and practices, as required by the Government Information\n\nSecurity Reform Act.\n\n\n\nThe objective of our security evaluation of the Advance Retail Sales indicator is to determine\n\nwhether adequate internal controls and system safeguards are in place to prevent the\n\nunauthorized disclosure or use of the economic indicator data before its release to the public. We\n\nhave found that employees dealing with the indicator do not always have appropriate background\n\ninvestigations and that their positions are not always assigned the appropriate level of risk as\n\nrequired by Title 5, Part 731, of the Code of Federal Regulations and OMB Circular A-130. In\n\nsome instances, the Department\xe2\x80\x99s records did not identify the type of investigation done, if any,\n\nfor personnel working on Principal Economic Indicators. We also noted a lack of guidance from\n\nthe Office of Human Resources Management, as well as from the Office of Security, suggesting\n\nthat the problems associated with assigning appropriate risk levels to positions and ensuring that\n\nbackground investigations are performed may exist throughout Commerce. 
We are conducting additional work to examine this issue.

Our review of the Department’s classified information systems will assess the adequacy of its policies for protecting classified information and the effectiveness of its oversight of these systems.

The GISRA-mandated review is the annual evaluation of the Department’s IT security program and practices. This evaluation will incorporate information from our security reviews, as well as results of related evaluations performed by operating units, GAO, and contractors. We are also continuing our security reviews of Commerce’s financial management systems and related networks as part of our fiscal year 2001 financial statements audits. These reviews will be in line with our IT security review strategy and will include penetration testing of the U.S. Patent and Trademark Office and FISCAM reviews for the other operating units.

The need for the OIG to provide oversight and evaluation of IT security will be increasingly critical in the coming years. Our independent evaluation of the Department’s IT security program being performed under GISRA and our security reviews of the Department’s financial management systems show that although the Department is giving greater attention to IT security, serious issues remain to be resolved. These issues appear to be the result of an earlier lack of attention to IT security, limited resources, and an environment in which the risks, threats, and vulnerabilities have continued to escalate in number and complexity. The weaknesses identified by GAO’s recent network vulnerability analysis of the Department underscore our concerns.

In our independent GISRA evaluation for the next fiscal year, we plan to evaluate the effectiveness of operating unit IT security programs and to conduct security evaluations of specific general support systems and major applications. We will use the findings of our current GISRA evaluation and of GAO’s security audit to assist us in identifying specific operating units, general support systems, and major applications to evaluate in the future.

Cooperative Efforts Needed to Address IT Security Weaknesses

I am pleased to note that, just last month, my office entered into a memorandum of agreement with the Department’s Office of the CIO and Office of Security to define our respective roles and responsibilities relating to the development, implementation, and management of the Commerce IT security program. This agreement is intended to promote a partnership among the three offices that both ensures complete coverage of IT security matters and prevents wasteful duplication of effort.

Under the agreement, the CIO’s office has the basic responsibility for developing and implementing the Commerce-wide IT security program, which includes developing IT security policies and procedures, promoting IT security awareness and training, serving as the Department’s critical infrastructure assurance officer, and convening a meeting of the incident response group when incidents or intrusions occur. Commerce’s Office of Security has the primary responsibility for security for the Department’s classified systems and, in conjunction with the Department of State, for IT security at Commerce overseas posts. My office is responsible for conducting investigations of IT incidents and intrusions, and for conducting reviews of the Department’s IT security program and individual systems, including the annual independent evaluations of the program required by GISRA.

In closing, it is clear that cooperative, continuous, and concerted efforts are needed by each of us—and I mean each of us—if we are to address IT security weaknesses. These efforts are needed if we are to have any chance of staying at least one step ahead of the hackers and others that see IT security as some sort of cat-and-mouse game.

I am confident that the senior management of the Department and its operating units increasingly recognize the need to take a proactive approach to do this. For example, the Secretary’s recent directive increasing the authority of operating unit CIOs and making them a more integral part of the management team is an important initiative. Likewise, the recent appointment of a Senior Advisor to the Secretary for Privacy should be instrumental in addressing such issues as cookies, web bugs, and other security/privacy matters. And program officials are also being strongly reminded that they too have key IT security responsibilities and need to work closely with operating unit CIOs and security officials to ensure an effective security program.

We intend to continue our partnership with all of these managers by identifying weaknesses and potential vulnerabilities in IT security and by searching for ways to improve it. Through this relationship, I believe we can help strengthen IT security within the Department.

˜        ˜        ˜        ˜        ˜

This concludes my statement.
A list highlighting some of the reports we have issued that address IT security issues is included as an attachment. Mr. Chairman, I would be happy to answer any questions you or other members of the Committee might have.

ATTACHMENT

U.S. Department of Commerce
Office of Inspector General
Recent Audit, Inspection, and Evaluation Reports on Information Technology Security Matters

Evaluations

1   Office of the Chief Information Officer: Use of Internet “Cookies” and “Web Bugs” on Commerce Web Sites Raises Privacy and Security Concerns, OSE-14257, April 2001
2   Office of the Chief Information Officer: Additional Focus Needed on Information Technology Security Policy and Oversight, OSE-13573, March 2001
3   Office of the Chief Information Officer: Critical Infrastructure Protection: Early Strides Were Made, but Planning and Implementation Have Slowed, OSE-12680, August 2000
4   Bureau of the Census: Computer Security for Transmission of Sensitive Data Should Be Strengthened, OSE-10773, September 1998

Financial Statements Audits

[Note: These audits are performed annually; listed below are only the reports covering FY 2000. In addition, the reports on security reviews are not publicly available documents.]

5   Department of Commerce: Consolidated Financial Statements, FY 2000, FSD-12849-1, March 2001
6   National Institute of Standards and Technology, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12859-1, February 2001
7   Economic Development Administration, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12851-1, January 2001
8   Bureau of the Census, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12850-1, January 2001
9   National Technical Information Service, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12857-1, January 2001
10  Office of the Secretary, Follow-up Review of the General Controls Associated with the Office of Computer Services/Financial Accounting and Reporting System, FSD-12852-1, January 2001
11  International Trade Administration, Review of General and Application System Controls Associated with the Fiscal Year 2000 Financial Statements, FSD-12854-1, January 2001
12  National Oceanic and Atmospheric Administration, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12855-1, December 2000
13  United States Patent and Trademark Office, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12858-1, December 2000

Inspections

14  National Oceanic and Atmospheric Administration: San Angelo Weather Forecast Office Performs Its Core Responsibilities Well, but Office Management and Regional Oversight Need Improvement, IPE-13531, June 2001
15  National Oceanic and Atmospheric Administration: Raleigh Weather Forecast Office Provides Valuable Services, but Needs Improved Management and Internal Controls, IPE-12661, September 2000
16  Bureau of Export Administration: Improvements Are Needed to Meet the Export Licensing Requirements of the 21st Century, IPE-11488, June 1999
17  Office of Security: Vulnerabilities in the Department’s Classified Tracking System Need to Be Corrected, IPE-11630, March 1999